Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers

Ransomware actors are deploying a growing array of data exfiltration tools in their attacks. Over the past three months alone, Symantec has found attackers using at least a dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes.

Double extortion attacks are now standard practice for most ransomware operators. In addition to encrypting files, attackers steal data from victims and threaten to release it unless the ransom is paid. The tactic has proven effective, giving attackers more leverage against organizations that may be able to restore encrypted files from backups.

The range of tools now being used by ransomware actors for exfiltration is growing. This trend appears to be driven by two factors: a growing awareness among attackers of the potential functionality in certain types of software, and a desire to find lesser-known alternatives to tools that have gained a reputation for malicious usage.

Disclaimer: This article is part of X-Force OSINT Advisories’ automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.

Reference: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-data-exfiltration

Sample Indicators of Compromise:

